Requests and responses by category

Ransomware

Under the Freedom of
Information Act 2000 I seek the following information about the
Department's cyber security strategy:

1. Has
your department been a victim of Ransomware?

2. If
Yes - did you pay to release your data?

3. If
yes, How much did you pay?

4. If
no, how did you gain back control of your data?

5. Do
you have the following in place:

a. Backup
- if yes

I.
What software do you use?

II.
When does your maintenance expire?

III.
How many TB of Data do you back up?

b. Firewall
- if yes:

I.
What firewall do you use?

II.
When does maintenance expire?

6. What
Email system do you use, how many users?

7. Are
you planning to migrate to Microsoft Office 365?

a. If
yes, why?

b. Will
you be adding extra security to this?

8. What
email security solution do you use?

9. Do
you use a public cloud provider, if so which one?

a. How
do you secure the data in the cloud?

I would prefer to receive this
information electronically, preferably as a data set, eg. in
Excel

Response

1. Has your department been a victim of
Ransomware? - No 2. If Yes - did you pay to
release your data? - N/A 3. If yes, How much
did you pay? - N/A 4. If no, how did you gain
back control of your data? - N/A 5. Do you
have the following in place: - a. Backup - if yes -
Yes I. What software do you use? -
CommVault II. When does your maintenance
expire? - End of December 2017 III. How many
TB of Data do you back up? - 13TB b. Firewall
- if yes: - Yes I. What firewall do you use? -
Refused - please see below
II. When does maintenance expire? - February
2022 6. What Email system do you use, how many users?
- MS Exchange 7. Are you planning to migrate
to Microsoft Office 365? - Information Not
Held a. If yes, why? - N/A b. Will
you be adding extra security to this? - N/A 8.
What email security solution do you use? - Refused -
please see below 9. Do you use a public cloud
provider, if so which one? - No a. How do you
secure the data in the cloud? - N/A
NOTICE OF REFUSAL Disclosure of
information relating to computer security constitutes a
security risk as it would leave the Council's computer assets
more vulnerable to a malicious hacking attack. This means that
disclosure would: • Make the Council more vulnerable to
crime (Section 31) • Risk harming the systems on which the
day-to-day business of the Council relies (Section 43) Section
31 (Law Enforcement) Section 31(1)(a) states that information
is exempt if its disclosure is likely to prejudice the
prevention or detection of crime. ICO guidance states that this
can be used to protect information on a public authority's
systems which would make it more vulnerable to crime. This
exemption can be used by a public authority that has no law
enforcement function: • To protect the work of one that
does • To withhold information that would make anyone,
including the public authority itself, more vulnerable to crime
The crime in question would be a malicious attack on the
Council's computer systems. Since the disclosure of the
withheld information would make the Council's systems more
vulnerable to such crime, the exemption is engaged. The
exemption is subject to the public interest test. There is an
overwhelming public interest in keeping the Council's computer
systems secure which would be served by non-disclosure. This
outweighs the public interest in accountability and
transparency that would be served by disclosure. Section 43
(Commercial Interests) Section 43(2) states that information is
exempt if its disclosure would, or would be likely to,
prejudice the commercial interests of any person (including the
public authority holding it). Disclosure of information
relating to computer security puts the council at risk of a
malicious hacking attack. This would compromise the Council's
ability to provide its services and carry out
'business-as-usual' should our systems be compromised. Were our
systems to be compromise, the cost of a system recovery would
be detrimental to the Council's commercial interests. The
exemption is subject to the public interest test. There is an
overwhelming public interest in keeping the Council's computer
systems secure which would be served by non-disclosure. This
outweighs the public interest in accountability and
transparency that would be served by disclosure.